Task 11.1

It seems that 'ip nat inside' is not required on interface Loopback0 of R5. Here is why:

1) There is no NAT configured:

Rack1R5(config)#do ping
Target IP address: 192.10.1.254
Extended commands [n]: y
Source address or interface: 150.1.5.5
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
.....
Success rate is 0 percent (0/5)

BB2#
ICMP: echo reply sent, src 192.10.1.254, dst 150.1.5.5
BB2#
ICMP: echo reply sent, src 192.10.1.254, dst 150.1.5.5
BB2#
ICMP: echo reply sent, src 192.10.1.254, dst 150.1.5.5
2) There is 'ip nat inside source list 105 interface FastEthernet0/0 overload', where

Rack1R5(config)#do sh access-l 105
Extended IP access list 105
10 permit ip 173.1.0.0 0.0.255.255 any
20 permit ip 150.1.0.0 0.0.255.255 any
and

Rack1R5(config)#do sh run int l0

interface Loopback0
ip address 150.1.5.5 255.255.255.0

Rack1R5(config)#do sh run int f0/0

interface FastEthernet0/0
ip address 192.10.1.5 255.255.255.0
ip nat outside
and pings are:

Rack1R5(config)#do p
Target IP address: 192.10.1.254
Extended commands [n]: y
Source address or interface: 150.1.5.5
Sending 5, 100-byte ICMP Echos to 192.10.1.254, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Rack1R5(config)#do sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 192.10.1.5:9 150.1.5.5:9 192.10.1.254:9 192.10.1.254:9

BB2#
ICMP: echo reply sent, src 192.10.1.254, dst 192.10.1.5
ICMP: echo reply sent, src 192.10.1.254, dst 192.10.1.5
ICMP: echo reply sent, src 192.10.1.254, dst 192.10.1.5
ICMP: echo reply sent, src 192.10.1.254, dst 192.10.1.5
ICMP: echo reply sent, src 192.10.1.254, dst 192.10.1.5
as well as telnets:

Rack1R5(config)#do sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 192.10.1.5:57196 150.1.5.5:57196 192.10.1.254:23 192.10.1.254:23
Just my thoughts.
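The post's argument rests on two checks: whether the source address of router-generated traffic matches access-list 105 (wildcard-mask semantics), and whether 'show ip nat translations' shows the inside local address rewritten to the 'ip nat outside' interface address. The script below is an added example (not part of the original post) that models both; the sample CLI text is copied from the post, while the function names and the consistency rule are assumptions of this example.

```python
"""Check that the NAT translations shown in the post agree with the NAT ACL.

Added example, not from the original post. It models IOS wildcard-mask
matching for 'access-list 105' and parses 'show ip nat translations' to
confirm each inside local address (a) matches the ACL and (b) was rewritten
to the 'ip nat outside' interface address (interface overload).
"""
import ipaddress
from typing import Dict, List, Tuple

# Access-list 105 from the post, as (network, wildcard) pairs.
# In an IOS wildcard mask a 1 bit means "don't care".
ACL_105 = [
    ("173.1.0.0", "0.0.255.255"),
    ("150.1.0.0", "0.0.255.255"),
]

# Constructed from the two 'show ip nat tr' outputs in the post.
SHOW_IP_NAT_TRANSLATIONS = """\
Pro Inside global Inside local Outside local Outside global
icmp 192.10.1.5:9 150.1.5.5:9 192.10.1.254:9 192.10.1.254:9
tcp 192.10.1.5:57196 150.1.5.5:57196 192.10.1.254:23 192.10.1.254:23
"""


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def acl_permits(acl: List[Tuple[str, str]], src: str) -> bool:
    """True if src matches any 'permit ip <net> <wildcard> any' entry."""
    s = _to_int(src)
    for net, wild in acl:
        care = ~_to_int(wild) & 0xFFFFFFFF  # bits that must match
        if (s & care) == (_to_int(net) & care):
            return True
    return False  # implicit deny: this source is never translated


def parse_nat_translations(text: str) -> List[Dict[str, str]]:
    """Parse 'show ip nat translations' rows into dicts; skips the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append({
            "proto": parts[0],
            "inside_global": parts[1],
            "inside_local": parts[2],
            "outside_local": parts[3],
            "outside_global": parts[4],
        })
    return rows


def split_socket(sock: str) -> Tuple[str, int]:
    """'150.1.5.5:9' -> ('150.1.5.5', 9)."""
    addr, port = sock.rsplit(":", 1)
    return addr, int(port)


def verify_translations(acl, outside_if_ip: str, text: str) -> List[Tuple[str, str, bool]]:
    """For every translation: inside local must match the NAT ACL and inside
    global must be the outside interface address. Returns (proto, local, ok)."""
    results = []
    for row in parse_nat_translations(text):
        local_ip, _ = split_socket(row["inside_local"])
        global_ip, _ = split_socket(row["inside_global"])
        ok = acl_permits(acl, local_ip) and global_ip == outside_if_ip
        results.append((row["proto"], local_ip, ok))
    return results


if __name__ == "__main__":
    for proto, local, ok in verify_translations(ACL_105, "192.10.1.5", SHOW_IP_NAT_TRANSLATIONS):
        print(f"{proto:5} {local:15} translated via ACL 105 and Fa0/0: {ok}")
```

Run as-is it reports both the ICMP and the TCP entry as consistent with ACL 105 and the Fa0/0 address; feeding it a translation table taken from a router where the loopback source does not match the ACL would flag those rows as not translated.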

Comments


  • I don't remember exactly, but since some version the router-generated traffic is automatically considered to be NAT inside.

    You may need ip nat inside/outside in rare cases of quirky NAT configurations, such as

    http://blog.internetworkexpert.com/2008/07/15/a-curious-nat-scenario/


  • Hey guys,

    I thought that additional ACLs are needed to fulfill the task requirements.

    ... Configure your network so that BB2 only has access to your network when hosts from inside initiate the connection.

    So I created the following two ACLs:

    ip access-list ext OUTBOUND
    permit tcp any any reflect STATE
    permit udp any any reflect STATE
    permit icmp any any reflect STATE

    ip access-list ext INBOUND
    evaluate STATE
    permit tcp any host 192.10.1.5 eq 80
    permit tcp any host 192.10.1.5 eq 443
    permit tcp any host 192.10.1.5 eq 25
    permit tcp any host 192.10.1.5 eq 110
    permit tcp host 192.10.1.254 eq 179 host 192.10.1.5
    permit tcp host 192.10.1.254 host 192.10.1.5 eq 179

    int fa0/0 # in my case
    ip access-group INBOUND in
    ip access-group OUTBOUND out

    Honestly I think this requirement cannot be solved. How can I provide access to the internal network only if I initiate the connection from inside, but not limit this access to return traffic only? Without the above ACLs I can open every connection, no matter whether a previous connection was initiated from inside.

    How close should my solution be to the task requirements? Such tasks confuse me.


    Please help me - thank you very much!

    rantanplan
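The behaviour the OUTBOUND/INBOUND lists above are meant to produce (return traffic of inside-initiated sessions passes, unsolicited traffic from BB2 does not, a few services stay statically open) can be modelled as a small stateful filter. The script below is an added example written for this thread, not the commenter's configuration or any Cisco code; it assumes packets are seen on Fa0/0 after NAT, so R5 appears as 192.10.1.5, and it simplifies reflexive ACLs by ignoring entry timeouts and the ICMP-specific matching rules.

```python
"""Simulation of the reflexive-ACL intent in the comment above.

Added example, not from the comment. Outbound packets permitted by a
'reflect STATE' entry create a mirrored temporary entry; inbound packets are
checked first against those entries ('evaluate STATE') and then against the
static permits of the INBOUND list. Addresses are assumed to be post-NAT.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # use 0 for ICMP
    dst: str
    dport: int


# Static permits from the INBOUND list: (proto, src, sport, dst, dport); None = any.
STATIC_INBOUND = [
    ("tcp", None, None, "192.10.1.5", 80),
    ("tcp", None, None, "192.10.1.5", 443),
    ("tcp", None, None, "192.10.1.5", 25),
    ("tcp", None, None, "192.10.1.5", 110),
    ("tcp", "192.10.1.254", 179, "192.10.1.5", None),
    ("tcp", "192.10.1.254", None, "192.10.1.5", 179),
]


def _match(pattern: Optional[object], value: object) -> bool:
    return pattern is None or pattern == value


class ReflexiveFilter:
    def __init__(self) -> None:
        # Reflected entries: (proto, src, sport, dst, dport) of the expected return flow.
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, p: Packet) -> bool:
        """OUTBOUND list: permit tcp/udp/icmp any any reflect STATE."""
        if p.proto in ("tcp", "udp", "icmp"):
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))  # mirror
            return True
        return False  # implicit deny

    def inbound(self, p: Packet) -> bool:
        """INBOUND list: evaluate STATE first, then the static permits."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.state:
            return True
        for proto, src, sport, dst, dport in STATIC_INBOUND:
            if (p.proto == proto and _match(src, p.src) and _match(sport, p.sport)
                    and _match(dst, p.dst) and _match(dport, p.dport)):
                return True
        return False  # implicit deny


def run_scenario() -> Dict[str, bool]:
    """Constructed traffic: the telnet from the original post plus unsolicited packets."""
    f = ReflexiveFilter()
    v: Dict[str, bool] = {}
    v["telnet_out"] = f.outbound(Packet("tcp", "192.10.1.5", 57196, "192.10.1.254", 23))
    v["telnet_reply"] = f.inbound(Packet("tcp", "192.10.1.254", 23, "192.10.1.5", 57196))
    v["unsolicited_telnet"] = f.inbound(Packet("tcp", "192.10.1.254", 40000, "192.10.1.5", 23))
    v["unsolicited_http"] = f.inbound(Packet("tcp", "192.10.1.254", 40001, "192.10.1.5", 80))
    v["bgp_from_bb2"] = f.inbound(Packet("tcp", "192.10.1.254", 40002, "192.10.1.5", 179))
    v["unsolicited_ping"] = f.inbound(Packet("icmp", "192.10.1.254", 0, "192.10.1.5", 0))
    f.outbound(Packet("icmp", "192.10.1.5", 0, "192.10.1.254", 0))  # echo from R5
    v["ping_reply_after_echo"] = f.inbound(Packet("icmp", "192.10.1.254", 0, "192.10.1.5", 0))
    return v


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24} {'permit' if allowed else 'deny'}")
```

The scenario shows the distinction the comment asks about: the telnet reply and the echo reply pass only because a matching outbound packet was reflected first, while the same packets arriving unsolicited are dropped, and the HTTP and BGP permits pass regardless because they are static entries in the INBOUND list.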

  • Hi,


    If I solved this task as below, would it be a valid answer?

    ip nat pool ORIGINATE  192.10.1.5 192.10.1.5 prefix-length 30

    Standard IP access list NAT
        20 permit 173.1.0.0 0.0.255.255
        30 permit 150.1.0.0  0.0.255.255


    Please advise me. [Y][N]


    Thanks

    Khaled

  • rantanplan, the 192.10.x.0/24 is not in the IGP. So it cannot work without the NAT, as BB2 doesn't have your networks.
